Can't ping server in DMZ1 from Inside interface

May 14th, 2008

Hi all, I cannot ping a server that has IP 62.15.25.25 from a server that exists on an Inside interface with the IP of 172.17.2.50.



In our PIX 515, I have the following references to either server.


nat (inside) 2 172.17.2.50 255.255.255.255 0 0

static (inside,outside) tcp 62.15.25.26 smtp 172.17.2.50 smtp netmask 255.255.255.255 0 0

aaa-server authinbound (inside) host 172.17.2.50 testkey timeout 10



access-list 101 permit tcp host 62.15.25.25 any eq smtp

access-list 101 permit ip host 62.15.25.25 host 172.16.2.1

access-list 101 permit ip host 62.15.25.25 host 172.17.1.32

access-list 30 permit tcp any host 62.15.25.25 eq domain

access-list 30 permit udp any host 62.15.25.25 eq domain

static (dmz1,outside) 62.15.25.25 62.15.25.25 netmask 255.255.255.255 0 0

static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0



Any ideas?


srue Wed, 05/14/2008 - 11:20

You've only posted bits of the config, which are useless without other parts.

Whatever ACL is applied to your DMZ interface, add something like:

access-list acl_name permit icmp any any echo-reply


or turn on icmp inspection if running 7.x or later.

acomiskey Wed, 05/14/2008 - 11:51

What is this static supposed to do?


static (inside,dmz1) 62.15.25.25 172.17.2.120 netmask 255.255.255.255 0 0


All you should need is...


static (inside,dmz1) 172.17.2.0 172.17.2.0 netmask 255.255.255.0


Then ping 62.15.25.25

slayerhawk Wed, 05/14/2008 - 11:52

I'm not sure what that static does, I am new to PIX.



slayerhawk Wed, 05/14/2008 - 11:53

The interesting thing is that all other servers on the 172.17.2.0 subnet can ping the 62.15.25.25 address. Just 172.17.2.50 cannot ping it.


slayerhawk Thu, 05/15/2008 - 05:10

I found this statement in the PIX and I don't know what it does. Can someone explain what it does for me?


nat (inside) 2 172.17.2.50 255.255.255.255 0 0


I removed it from the PIX and my 172.17.2.50 server was then able to ping the 62.15.25.25 address.


Any ideas?

acomiskey Thu, 05/15/2008 - 05:47

There should also be a corresponding global statement with the number 2.


global (xxxxx) 2 ....

slayerhawk Thu, 05/15/2008 - 06:27

I do have global statements that look like this, but they don't reference the IP address of 172.17.2.50.


global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx

global (outside) 2 xxx.xxx.xxx.xxx


These global statements only reference external IP addresses, but not the DMZ.
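
Added example, not part of any post in this thread: a Python check that reports each nat id that has no global statement with the same id on a given interface, which is the pairing raised in the replies above. It assumes PIX 6.x behaviour (nat and global are matched by id on the egress interface) and ignores static rules; the global addresses and the id 1 group are constructed placeholders.

```python
import re
from collections import defaultdict

# The nat (inside) 2 line is from the thread. The global addresses are
# constructed placeholders (the thread masks them); the id 1 group is
# constructed for contrast.
SAMPLE_CONFIG = """\
nat (inside) 2 172.17.2.50 255.255.255.255 0 0
global (outside) 2 192.0.2.10
global (outside) 2 192.0.2.11
nat (inside) 1 172.17.2.0 255.255.255.0 0 0
global (outside) 1 192.0.2.20
global (dmz1) 1 192.0.2.30
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Return (nat_rules, globals_by_id) from PIX 6.x style nat/global lines."""
    nat_rules = []                     # (source_if, nat_id, network, mask)
    globals_by_id = defaultdict(set)   # nat_id -> interfaces that have a global
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_rules.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            globals_by_id[int(m.group(2))].add(m.group(1))
    return nat_rules, globals_by_id


def missing_globals(config, interfaces):
    """List (nat_rule, interface) pairs where the nat id has no global."""
    nat_rules, globals_by_id = parse(config)
    findings = []
    for rule in nat_rules:
        src_if, nat_id = rule[0], rule[1]
        if nat_id == 0:                # nat 0 is identity NAT and needs no global
            continue
        for iface in interfaces:
            if iface != src_if and iface not in globals_by_id[nat_id]:
                findings.append((rule, iface))
    return findings


if __name__ == "__main__":
    for rule, iface in missing_globals(SAMPLE_CONFIG, ["outside", "dmz1"]):
        print(f"nat id {rule[1]} for {rule[2]}/{rule[3]} has no global on {iface}")
```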

